Dozens of popular iPhone apps are still exposing your login details
ZDNet
| May 4, 2017
| By Zack Whittaker
Posted on 05/05/2017 1:56:08 PM PDT by Swordmaker
Strafach, chief executive at Sudo Security Group (verify.ly), surveyed thousands of apps and found dozens that had badly implemented code that allowed the app to accept any certificate to establish an encrypted connection without properly validating it. That means a hacker within close range of a vulnerable device -- such as the same Wi-Fi network -- could trick the app into accepting a rogue certificate. The app doesn't know any better, and the hacker can steal your username and password.
Strafach disclosed the names of dozens of low-risk apps, but held off on disclosing the banking and medical apps in order to privately disclose the issue to each app developer.
Time has passed -- three months specifically, the standard time in any disclosure process -- and while some of the affected apps have been fixed, many have not.
Strafach confirmed that HipChat and Foxit PDF were the only two popular high-risk apps that were vulnerable, but were since fixed.
However, the majority of the rest of the apps were not fixed, and still expose user credentials.
Several banking apps, including Emirates NBD and 21st Century Insurance, are still vulnerable to having the customer's username and password intercepted if the apps were subject to a man-in-the-middle attack.
CERT, the public vulnerability database run by Carnegie Mellon University, said in its disclosures posted Thursday that users of Think Mutual Bank and Space Coast Credit Union, which were also named in Strafach's list, should "not use affected versions of the application."
Also included in the list of apps that could expose usernames and passwords if intercepted are Yo, a social networking tool; Diabetes in Check, a blood glucose level checker; and Dolphin Web Browser, which promises the user "private" internet search.
And other apps, such as one that allows Indiana residents to vote, were vulnerable to attacks, said Strafach, though he didn't conduct extensive testing due to the sensitivity of the app.
Strafach said in a note that the easiest way to limit any issues is to use your phone's data plan, or not to use the app at all.
TOPICS: Business/Economy; Computers/Internet
KEYWORDS: applepinglist; appsecurity; ios; security
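The check the article says these apps skipped, as an added example (not code from the article, ZDNet, or any of the named apps): certificate validation in Go, run against a constructed genuine certificate, a constructed rogue certificate for the same placeholder hostname, and a hostname mismatch. The hostname `bank.example`, the helper names and the self-signed certificates are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert builds a constructed self-signed certificate for host (DER bytes). One copy plays
// the genuine server certificate; a second, independently keyed copy plays the rogue certificate.
func newSelfSignedCert(host string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

// ValidateServerCert is the check the flagged apps skipped: the presented certificate must parse, chain to
// a trusted root, be within its validity period and name the host. The broken apps effectively returned nil.
func ValidateServerCert(presentedDER []byte, host string, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(presentedDER)
	if err != nil {
		return err // malformed certificate: reject, never fall through to "accept"
	}
	_, err = cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// Demo reports whether the genuine cert passes, whether the rogue cert (right host, untrusted issuer) passes,
// and whether the genuine cert passes when the app is actually connecting to a different host.
func Demo() (genuineOK, rogueOK, wrongHostOK bool) {
	const host = "bank.example" // placeholder hostname
	genuine, rogue := newSelfSignedCert(host), newSelfSignedCert(host)
	roots := x509.NewCertPool()
	root, _ := x509.ParseCertificate(genuine)
	roots.AddCert(root) // the only issuer the app should trust for this host
	return ValidateServerCert(genuine, host, roots) == nil,
		ValidateServerCert(rogue, host, roots) == nil,
		ValidateServerCert(genuine, "other.example", roots) == nil
}

func main() { fmt.Println(Demo()) } // prints: true false false
```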
To: Swordmaker
Where is the answer for avoiding this stuff? Smoke signals?
2 | posted on 05/05/2017 1:57:25 PM PDT by RitaOK (Viva Christo Rey! Public Education/Academia are the farm team for more Marxists coming... infinitum.)
To: ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; AFreeBird; ...
Dozens of not-so-popular "popular" iPhone and iPad Apps are exposing their users to man-in-the-middle attacks if the user uses them on an insecure WIFI network because the poorly written app doesn't properly validate authentication certificates. Although the discoverer of these flawed apps reported this problem to the publishers of these apps 90 days ago and some did update their apps to correct the authentication process, others have not. He advises not using these apps until the publishers update them to be safe. I recommend you do not use any app with a risk of financial or password exposure on ANY external WIFI network. PING! Thanks to TheBattman for the heads up.
Apple iOS Security Alert
Ping!
The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.
If you want on or off the Mac Ping List, Freepmail me
3 | posted on 05/05/2017 2:02:05 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: RitaOK
"Where is the answer for avoiding this stuff? Smoke signals?"
That's one solution. I'd just not use banking while drinking coffee at Starbucks or sitting at an airport waiting for your flight. If you must, use your phone for a hotspot instead of the public WIFI.
4 | posted on 05/05/2017 2:04:24 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
Here is a list of the Oh so "popular" iOS Apps that the article claims you should worry about because they are mid- and high-risk for exposing some data if used on an insecure public WIFI network. Notice how "popular" these apps are...
- HipChat Free group chat for teams & business by HipChat, Inc. (CVE-2017-8058) - FIXED
- Foxit PDF PDF reader, editor, form, signature by Foxit Corporation (CVE-2017-8059) - FIXED
- Panda Mobile Security by Panda Security, S.L. (CVE-2017-8060)
- Think Mutual Bank Mobile Banking App by Think Mutual Bank (CVE-2017-3213)
- Emirates NBD and Emirates NBD KSA by Emirates NBD Bank P.J.S.C (CVE-2017-5915)
- State Bank Anywhere by State Bank of India (CVE-2017-5901)
- Dollar Bank Mobile by Dollar Bank (CVE-2017-5905)
- PayQuicker by PayQuicker (CVE-2017-5902)
- EFS Mobile Driver Source by Electronic Funds Source LLC (CVE-2017-5909)
- Diabetes in Check: Blood Glucose & Carb Tracker by Everyday Health, Inc (CVE-2017-5906)
- Supermóvil by Banco Santander Mexico SA Mexico (CVE-2017-5911)
- FOREXTrader for iPhone by FOREX.com (CVE-2017-5912)
- TradeKing Forex for iPhone by TradeKing (CVE-2017-5913)
- Banque Zitouna by DOT IT (CVE-2017-5914)
- Americas First FCU Mobile Banking by Americas First Federal Credit Union (CVE-2017-5916)
- BCR Móvil by Banco de Costa Rica (CVE-2017-5918)
- 21st Century Insurance by 21st Century Insurance (CVE-2017-5919)
- Indiana Voters by Quest Information Systems
- Dolphin Web Browser Fast Private Internet Search by MoboTap Inc.
- Yo. by Life Before Us, LLC
- Radio Javan by RADIO JAVAN INC.
- ellentube by Warner Bros.
- Zipongo Healthy Recipes and Grocery Deals by Zipongo, Inc.
- Interval International by Interval International
- ShopWell Healthy Diet & Grocery Food Scanner by YottaMark, Inc.
- PUMATRAC by PUMA AG
Ho hum . . . so disappointing that someone will find my password to EllenTube and watch Ellen Degenerate. . .
5 | posted on 05/05/2017 2:23:42 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: Swordmaker
6 | posted on 05/05/2017 4:38:18 PM PDT by Nifster (I see puppy dogs in the clouds)
To: Swordmaker
7 | posted on 05/05/2017 4:39:48 PM PDT by Nifster (I see puppy dogs in the clouds)
To: Swordmaker
I’m not sure they found them all. There are many who use the same app developer/framework for specific types of apps. Notice how many banking apps look VERY similar and function the same. It’s likely because the core code is the same among them with only customization done (kind of like web pages done with the same WordPress template, just the colors and images/content change, but they all look very similar).
LOTS of banks (especially smaller banks) use the same basic app - and I doubt these folks were able to track down and test all of them.
But I do agree, none appear to be insanely popular!
8 | posted on 05/05/2017 7:24:28 PM PDT by TheBattman (Gun control works - just ask Chicago...)
To: Nifster
The only one I’ve specifically heard of is the FOREX app from when I was investigating different online investment directions and knew that FOREX had an app. But that’s about it for the ones I’ve heard of, thankfully.
9 | posted on 05/05/2017 7:25:34 PM PDT by TheBattman (Gun control works - just ask Chicago...)
To: Swordmaker
Disappointed to see Dolphin on the list. Love that browser for watching YouTube videos and doing searches. Often it’s faster than Safari on my machine, but not always.
10 | posted on 05/05/2017 7:33:12 PM PDT by The Westerner (Protect the most vulnerable: get the government out of medicine and education!)